I do feel that exploits should be released to the vendors before disclosure. Back in my heyday of finding exploits, I had a set ruling:

1. Find exploit.

2. Send any/all contacts for the vendor an e-mail outlining the exploit.

3. Wait 7 days.

4. If no response, release the exploit as live; otherwise publish it as is. Both scenarios would be labelled as vendor-notified.

This was simple: in the e-mail, I would provide the software name and version, OS if needed along with any other system specifics, what the exploit is, does and how to patch it. I would also include a note saying that if no response is received within 7 days, the exploit will be released to the world.

My view was that it is up to the vendor at that point to either fix it, or not. None of the exploits I found was extensive (e.g. sifting through the code of VirtualBox to find out that a memory leak happens when some action occurs). It was mostly beginner stuff, such as local/remote file inclusion and cross-site scripting. Some vendors responded back, most didn’t. Out of those who did, I had a long-lasting relationship with one in fixing exploits for him.

I do not, however, condone the releasing of such information to the public without properly informing the vendor first (unless of course they cannot be reached). I never classified myself as any type of hat, but if I had to it’d be grey. I didn’t find exploits to ruin the lives of people, I found them because I love security. I wanted to reach out to those who needed help, and do my best. However, withholding valuable information such as exploits for personal gain of any sort is far from beneficial to anyone, even yourself. For every exploit you can find, there’s someone out there who can find more, and they may give away your exploit before you have the chance.

About This Blog

Tools and tips to assist you in your Linux lifestyle. While deviating sometimes to other operating systems, or off-topic discussions, the focus of this blog is to bring a new life to the Linux world, and hopefully a new insight to the happenings in the Linux and open source community as a whole.